On 1/22/22 23:16, William ML Leslie wrote:
> On Sun, 23 Jan 2022, 2:44 pm Mike Stay, <meta...@gmail.com
WebAuthn is based on the work of the FIDO Alliance, which was intended
to be a standards-based answer to Apple's TouchID biometric authN. The
Apple implementation is excellent, as is Google's support for things
like Yubikey (USB-based devices). "Passwordless" authentication is now
It looks like a decent start, but the question I feel
> I want an answer to is how do I do three-party auth if credentials are
> scoped to a hostname...
Well, in a way, there are already (at least) three parties in the
WebAuthn flow - the user, her browser, and the website (RP). I suppose
there's also the phone/biometric hardware, which must also be
authenticated in this flow. Which three parties are you thinking of?
This blog goes into some detail about WebAuthn on the iPhone, and
discusses what I consider a bit of an annoyance (although this is a
"standard", support isn't standard across software).
> You received this message because you are subscribed to the Google
> Groups "cap-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cap-talk+u...@googlegroups.com
> To view this discussion on the web visit